SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. – €24,000 Fine (Spain, 2022)

The electricity and gas company (controller) billed a data subject illegally, in absence of a valid contract for that. On 14 February 2022, the data subject filed a complaint to the Spanish DPA. The data subject provided several invoices and transaction data from his bank account, which were related to a contract that he had not agreed to. The data subject also showed that he had complained about this issue to the controller several times. On 18 April 2022, the controller acknowledged that there had been an internal error which had resulted in the unjustified contracting. The controller used a two-step system for contract-signings over the phone. The first step was informing data subjects on the phone about the nature of the service provided by the controller. The second step followed after data subjects accepted the conditions on the phone, after which the controller would send a contract to the data subject by SMS for a signature in order to give consent. According to the controller, the data subject had accepted the conditions, but did not sign the contract and did therefore also not consent to the contract. However, due to an internal synchronisation error at the side of the controller, it seemed that the data subject had signed the contract by SMS and had consented to the contract. The DPA determined that the controller had violated Article 6(1) GDPR because of a lack of a legal basis for processing. The DPA determined that this was a fraudulent contract because of a missing signature from the data subject. The processing by the controller was carried out without a legitimate reason. The DPA originally fined the controller €30,000. That amount was reduced to €24,000 due to a voluntary payment by the controller.